sign in sign up
<<
Home , Key (cryptography), List of hash functions

DiSE: Distributed Symmetric-key

Shashank Agrawal Payman Mohassel Pratyay Mukherjee Peter Rindal shaagraw,pmohasse,pratmukh,[email protected] Visa Research ABSTRACT asymmetric-key setting, namely public-key encryption and signa- Threshold provides a mechanism for protecting se- ture schemes [15, 22, 24, 25, 29, 33, 34, 36, 48, 49, 69] where the cret keys by sharing them among multiple parties, who then jointly signing/decryption key and algorithms are distributed among mul- perform cryptographic operations. An attacker who corrupts upto tiple parties. This is despite the fact that a large fraction of applica- a threshold number of parties cannot recover the secrets or vio- tions that can benefit from stronger secret-key protection primarily late security. Prior works in this space have mostly focused on use symmetric-key cryptographic primitives wherein secret keys definitions and constructions for public-key cryptography and dig- persist for a long time. We review three such examples below: ital signatures, and thus do not capture the security concerns and Secret Management Systems. An increasing number of tools and efficiency challenges of symmetric-key based applications which popular open source software such as Keywhiz, Knox, and Hashicorp commonly use long-term (centralized) master keys to protect data Vault (e.g. see [4]) are designed to automate the management and at rest, authenticate clients on enterprise networks, and secure data protection of secrets such as sensitive data and credentials in cloud- and payments on IoT devices. based settings by encrypting data at rest and managing keys and We put forth the first formal treatment for distributed symmetric- . These tools provide a wide range of features such as key encryption, proposing new notions of correctness, privacy and interoperability between clouds and audit/compliance support. By authenticity in presence of malicious attackers. We provide strong far, the most commonly adopted primitive for encrypting secrets in and intuitive game-based definitions that are easy to understand the storage backend is with a master data and yield efficient constructions. encryption key that encrypts a large number of records. Some of We propose a generic construction of threshold authenticated en- these systems use to provide limited key protection cryption based on any distributed pseudorandom function (DPRF). in an initialization stage but once keys are reconstructed in memory When instantiated with the two different DPRF constructions pro- they remain unencrypted until the system is rebooted. Consider posed by Naor, Pinkas and Reingold (Eurocrypt 1999) and our en- the following statement from Hashicorp Vault’s architecture docu- hanced versions, we obtain several efficient constructions meeting mentation [12]: different security definitions. We implement these variants and “Once started, the Vault is in a sealed state ... When the Vault is initialized provide extensive performance comparisons. Our most efficient it generates an encryption key which is used to protect all the data. That key is instantiation uses only symmetric-key primitives and achieves a protected by a master key. By default, Vault uses a technique known as Shamir’s secret throughput of upto 1 million /decryptions per seconds, sharing algorithm to split the master key into 5 shares, any 3 of which are required to or alternatively a sub-millisecond latency with upto 18 participating reconstruct the master key ... Once Vault retrieves the encryption key, it is able to parties. decrypt the data in the storage backend, and enters the unsealed state."

1 INTRODUCTION Enterprise Network Authentication. Network authentication pro- A central advantage of using cryptographic primitives such as tocols such as Kerberos [6] are widely used to provide a single-sign- symmetric-key encryption is that the safety of a large amount of on experience to users by enabling them to authenticate periodically sensitive data can be reduced to the safety of a very small key. To (e.g. once a day) to a ticket-granting service using their credentials, get any real benefit from this approach, however, the key mustbe to obtain a ticket-granting ticket (TGT) that they use to get access protected securely. One could encrypt the key with another key, to various services such as mail, printers and internal web. The protect it using secure hardware (e.g. HSM, SGX or SE), or split recommended approach for generating the TGT is authenticated en- it across multiple parties. Clearly, the first approach only shifts cryption (e.g. see [5]) using a master secret key in order to provide the problem to protecting another key. On the other hand secure both confidentiality and integrity for the information contained in hardware, co-processors and the like provide reasonable security the ticket. This renders the master secret key an important attack but are not always available, are expensive or not scalable, lack target, as it remains unprotected in memory over a long period. programmability and are prone to side-channel attacks. Splitting the key among multiple parties, i.e. threshold cryp- Multi-device IoT Authentication. The proliferation of a wide range tography, is an effective general-purpose solution, that has re- of Internet of Things (IoT) has provided users with new and conve- cently emerged in practice as an alternative software-only solu- nient ways to interact with the world around them. Such devices tion [2, 10, 11]. Surprisingly, prior to our work, there was no for- are increasingly used to store secrets that are used to authenti- mal treatment of distributed symmetric-key encryption. Prior for- cate users or enable secure payments. Many IoT devices are not mal treatments of threshold cryptography typically focus on the equipped with proper environments to store secret keys, and even when they are, provide developers with little programmability for ∗ An extended abstract [16] of this work appeared in ACM Conference on Computer their applications. It is therefore desirable to leverage the fact that and Communications Security, 2018. The full version [17] can be found at https: //eprint.iacr.org/2018/727.pdf many users own multiple devices (smart phone, smart watch, smart TV, etc.) to distribute the key material among them (instead of proposed definitions. See the overview in Section 2 for amore keeping it entirely on any single device) to enable multi-device detailed discussion. cryptographic functionalities without making strong assumptions Performance Challenges. In addition to not meeting our security about a device’s security features. Given the limited computation notions, existing threshold public-key constructions are too expen- and communication power of many such IoT devices, such dis- sive for symmetric-key use cases, as they are dominated by more tributed primitives should require minimal interaction and limited expensive public-key operations and/or require extensive interac- cryptographic capabilities (e.g. only block-). tion and communication between the parties. Applications that use symmetric-key cryptography often have stringent latency or throughput requirements. Ideally, one would like the distributed 1.1 Technical Challenges encryption/decryption protocols to not be significantly more ex- Modeling security. As discussed earlier, existing threshold cryp- pensive than their non-distributed counterparts. In particular, the tographic definitions and constructions are primarily focused on protocols should have low computation and bandwidth cost, and public-key primitives such as digital signatures and public-key en- require minimal interaction. cryption. In fact, to the best of our knowledge, there is no standard General-purpose multi-party computation protocols can also be symmetric-key security notions in the distributed setting. used to solve the same problems by computing standard symmetric- Note that threshold authenticated encryption (TAE) is the ap- key encryption schemes inside an MPC (e.g. see [2, 65]). While this propriate and natural notion here as it would simultaneously solve approach has the benefit of preserving the original non-interactive the confidentiality and the authenticity problem, such that a - algorithm, the resulting protocols would be prohibitively interac- text generated by the TAE scheme could be both an authentica- tive, bandwidth-intensive, and would become increasingly expen- tion token and an encrypted message. Unfortunately, while defini- sive for larger number of parties. In this paper, we aim for two-round tions for threshold public-key encryption are well-understood (e.g. protocols where one server sends a message to other servers and see [22, 25, 29, 35, 68]), as we elaborate next, they fail to capture receives a response, while other servers need not exchange any important subtleties that only arise in the symmetric-key setting messages. This minimal interaction model minimizes coordination when considering standard AE notions of message privacy and between the servers and is ideal for low-latency applications. integrity. We review the MPC-based solutions and other related work on What truly separates TAE from threshold public-key encryption protecting cryptographic secrets through splitting them among is that in TAE a corrupted party should not be able to encrypt or multiple parties (i.e. secret sharing, threshold PKE and threshold decrypt messages on her own or even generate valid , PRFs) in the related work section (Section 3). without “being online” (i.e. without interaction with the honest parties in a distributed encryption/decryption protocol), and this 1.2 Our Contribution should hold even if the adversary engages in other distributed We formalize, design and implement new protocols for distributed encryption and decryption protocols. symmetric-key encryption. Our contributions can be summarized as Capturing all legitimate adversarial interactions in our security follows: games is quite critical and subtle. For example, note that unlike the non-interactive setting, chosen plaintext attack (CPA) security New security definitions. We initiate a formal study of authen- is not sufficient to capture message privacy in the distributed set- ticated encryption in the distributed setting. We propose novel ting where we need to guarantee message privacy not only in the message privacy and ciphertext integrity definitions for threshold presence of encryption queries but also during decryption queries authenticated encryption that captures the unique issues that arise initiated by the honest parties. In other words, the transcripts of in this setting, in presence of a malicious adversary that corrupts a such decryption queries should not reveal anything about the mes- subset of parties. sage being decrypted to the adversary. Second, unlike the standard Simple and lightweight protocols. We put forward a generic con- (non-interactive) ciphertext integrity notions where it is shown struction based on any distributed pseudorandom function (DPRF) that decryption queries cannot help the adversary and hence can in the standard model. The construction only assumes one-way be safely removed from the security game (e.g. see [18]), it is easy functions. to observe that allowing for decryption queries in the threshold − When we instantiate with multiple efficient DPRF construc- setting makes the adversary strictly stronger. For instance, con- tions from Naor et al. [59] and our enhanced variants, we sider a contrived threshold scheme where all parties contacted in derive a number of threshold authenticated encryption pro- the decryption protocol simply return their secrets. Clearly, this tocols with different security guarantees and efficiency levels scheme is not secure, but it would still satisfy a ciphertext integrity (see Figure 8). All our protocols are light-weight: they require notion that does not allow the adversary to invoke the decryption only two rounds of communication and incur minimal compu- protocol. tation and bandwidth cost. Specifically, the party interested in Finally, unlike the non-interactive case, defining what consti- encryption or decryption sends one request message to other tutes a valid forgery in the ciphertext integrity game is non-trivial parties and receives one response message in return (see Fig- since in the interactive setting where the adversary takes part in ure 1 for a visual depiction).1 In the most efficient instantiation, the encryption protocol, generated ciphertexts may not be well- defined or valid. We address all these subtleties and more inour 1This is in contrast with two-round MPC protocols (e.g. [58]) where typically in each round every participant broadcasts messages to everyone else. 2 such definitions, proposed in prior work for standard symmetric- Server-3 Contacted key encryption, are cumbersome to work with (e.g. see [56]). sk3 Server-2 Server-4 We remark that over the past two decades, a large body of work sk sk Not contacted 2 t 4 has considered various notions of security for standard authenti- k4 cated encryption [19–21, 27, 42, 52–54, 61–64, 64] to address many t t practical issues such as concrete security, nonce-misuse resistance, Server-1 Server-5 Client online security, and multi-user security. As the first work to formal- sk1 sk5 k1 k5 ize distributed authenticated encryption, we choose to focus on the traditional notion of AE security (i.e. message privacy + ciphertext DistEnc(m): integrity) as even extending this important notion to the threshold setting raises many new subtleties (as we will see shortly) that do − t ← commit(m) not exist in the non-interactive setting. We leave it for future work − k1, k4, k5 ← query(t, {1,4,5}) to extend threshold AE to the more advanced notions mentioned − k ← combine(k1, k4, k5) − c ← Enc(k, m) above. Figure 1: The flow of our distributed encryption protocol for n = 5 The . In the distributed setting, we consider an and t = 3. Client contacts servers 1, 4 and 5 to encrypt a message attacker who controls a subset of parties and behaves arbitrarily m. Servers do not communicate with each other. We show client malicious while the honest parties are connected via point-to-point separate from the servers for simplicity. A simplified outline of the secure channels. Moreover, to capture a more realistic scenario, we encryption protocol is given in the box. See Figure 2 for the actual steps. The flow of decryption protocol is similar to encryption but let the adversary choose its corruption set after receiving the public the steps involved are different. parameters of the scheme. As we will see shortly, this requires additional care in both the constructions and the security proof.

there are no public-key operations as parties only make PRF Threshold Symmetric-key Encryption. Analogous to its non-interactive calls and hashing. counterpart, we define a threshold symmetric-key encryption (TSE) − We provide the first formal analysis for both the PRF-based and scheme consisting of a setup algorithm Setup and two protocols, the DDH-based instantiations of the DPRF constructions given DistEnc and DistDec, for distributed encryption and decryption, in Naor et al. [59] by proposing a strong pseudo-randomness respectively. The scheme is parameterized by two positive integers property. We also formalize correctness of DPRFs in presence n and t, with n ≥ t ≥ 2 where n denotes the total number of par- of malicious corruption and extend their DDH-based construc- ties and t the threshold. We allow at most t − 1 corruptions which tion to satisfy this notion. is clearly optimal in this setting. Setup generates n private keys − Our protocols allow for an arbitrary threshold t such that only sk1,sk2,...,skn, one for each party, and some public parameters t − 1 other parties need to be contacted to encrypt or decrypt. pp. In DistEnc, one of the parties, called the encryptor, who holds a At the same time, the protocols are resilient to the corruption message, sends a request message to any t − 1 other parties in the of t − 1 parties (clearly, this is the best one could hope for). protocol. The participating parties use their respective secret-keys to compute their individual responses. At the end of the protocol, Implementation and Evaluation. We implement several variants only the encryptor learns a ciphertext. Analogously, in DistDec, of our protocols in C++ and perform extensive experiments to eval- one of the parties (decryptor) with a ciphertext performs a similar uate their performance for applications with high-throughput and process and learns the corresponding message. Note that we do low-latency requirements. Our most efficient instantiation achieves not assume that the same party plays the role of encryptor and a throughput of upto 1 million encryptions/decryptions per seconds, decryptor. Our consistency property requires that any subset of t or alternatively a sub-millisecond latency with upto 18 participating parties should be able to encrypt or decrypt. parties. We achieve this high level of performance through a variety of cryptographic optimization and system level engineering such as Correctness. The natural correctness requirement in the non- full use of hardware accelerated AES and instruction vectorization. interactive setting is that a ciphertext c generated by running an The result is a lightweight challenge-response protocol where only encryption algorithm on a message m must decrypt to m. But in one message is sent and received by the participating parties. the threshold setting where the adversary is malicious, defining correctness becomes more subtle. Informally, correctness requires 2 TECHNICAL OVERVIEW that a ciphertext that is generated by an honest encryptor but may involve corrupt parties in the encryption protocol can only be 2.1 Security Requirements decrypted (by an honest decryptor) to the correct message or results A primary contribution of this work is to a formal treat- in an abort (i.e. ⊥) even if the decryption involves corrupted parties. ment of symmetric-key authenticated encryption in the distributed This notion may already be sufficient for many applications. We also setting. formalize a stronger notion wherein any execution of an encryption Our definitions are inspired by the traditional game-based no- protocol that potentially involves malicious parties either produces tions of message privacy and ciphertext integrity for standard (i.e. a correct ciphertext (by correct we mean that an honest decryption non-interactive) symmetric-key encryption [20, 55, 64]. We inten- produces the original message) or results in an abort. In other tionally avoid the framework [28] because words, a valid ciphertext carries an implicit guarantee that an honest

3 decryption/verification will always be successful. Looking ahead, all corrupted parties; or (ii) it makes an indirect decryption query if we do not impose the stronger correctness requirement, our where an honest party initiates the decryption query using a cipher- instantiation is significantly faster—since to achieve the stronger text provided by the adversary; or (iii) makes an indirect decryption form of correctness we need non-interactive zero-knowledge proofs query using a ciphertext it does not know but that was previously (NIZK) that require more expensive public-key operations. generated via an indirect encryption protocol initiated by an hon- est party. The purpose of the third type (called targeted decryption Message Privacy. As discussed earlier, our definition has two queries) is to ensure that the decryption protocol initiated by an components, message privacy and ciphertext integrity (also called honest party does not leak the computed ciphertext to the adversary authenticity). In the non-interactive case, message privacy is defined if it is the result of an earlier encryption by an honest party. To via a chosen plaintext attack (CPA) game where the adversary capture this, we do not count these ciphertexts towards adversary’s can engage in encryption queries before and after the challenge forgery budget; in particular, the adversary wins the game if it out- phase where the challenge stage consists of guessing between the puts one of them as a forgery. In fact, the only decryption queries ciphertexts for two adversarially chosen messages. that we count towards adversary’s forgery budget are of the first In the threshold setting, we allow for two types of encryption type, i.e. those initiated by the adversary itself. See Remark 6.11 for queries in the message privacy game. First, the adversary can ini- a more detailed discussion and how even this can be avoided at the tiate its own encryption queries using messages of its choice and cost of more expensive constructions. obtain both the final ciphertext as well as the transcripts ofthe parties it corrupts (and influence their actions during encryption). One-More Ciphertext Integrity. To define a successful forgery Second, we allow the adversary to perform indirect encryption in the usual non-interactive setting, one could just say that the queries where it invokes an honest party to initiate an encryption adversary must produce a ciphertext that is different from the ones query using an adversary-chosen message and let the adversary it receives from the encryption oracle [20, 55]. Alternatively, in the learn the ciphertext (despite the fact that the TSE encryption would case of unified definitions64 [ ], the adversary is restricted from not necessarily leak the ciphertext to the adversary). This captures querying the decryption oracle with a ciphertext it received from scenarios where the application using the service may unintention- the encryption oracle2. Unfortunately, one cannot take a similar ally leak ciphertexts to the adversary (e.g. a cloud storage compro- approach in the distributed setting. If the adversary initiates an mise or authentication token leakage). We then observe that this encryption session that involves malicious parties, the output of is not sufficient to capture full message privacy in the distributed the session (a ciphertext) may not be available to the honest parties setting. In particular, even decryption queries initiated by honest even if they are involved. Thus, it is not clear how to explicitly parties should preserve message privacy in presence of a malicious define the ciphertext learned by the adversary and therefore no adversary who corrupts a subset of parties. Note that this issue straightforward way to prevent the adversary from claiming such does not arise in the non-interactive case where decryption queries ciphertext as a valid forgery. always reveal the message. Hence, we allow these indirect decryp- To circumvent the problem while keeping the definition simple, tion queries in our message privacy game and do not reveal the we keep track of the maximum number of ciphertexts, say k, the decrypted message to the adversary. In particular, an adversary adversary could learn (in an ideal sense) by interacting with honest could provide its challenge ciphertext to such an indirect decryp- parties and require that as his forgery, he outputs k + 1 distinct tion query and still should not be able to win the message privacy ciphertexts that successfully decrypt. This implies that at least one game. of the ciphertexts he outputs is a new and valid ciphertext. Ciphertext Integrity. In the ciphertext integrity game, the adver- 2.2 Our Generic Construction sary engages in both encryption and decryption queries, and then needs to create a new valid ciphertext (forgery). Several subtleties We provide a brief overview of our main construction but before arise when defining a valid forgery. Let us start with the different doing so, we discuss a few attempts that fail to meet our efficiency types of encryption/decryption queries. or security requirements. A more detailed discussion on the failed Similar to the message privacy game, both standard and indirect attempts can be found in the full version [17]. encryption queries are allowed. The ciphertexts resulting from the DPRF. All the constructions we discuss in this section use a former are naturally not considered forgeries since the corrupt Distributed Pseudorandom Function (DPRF) as a building block. A party is intended to learn it. However, in the indirect case where DPRF is a distributed analog of a standard PRF. It involves a setup an honest party initiates the encryption, the security game does where each party obtains their secret-key and the public parameters. not provide the adversary with the resulting ciphertext. As such, Evaluation on an input is performed collectively by any t parties the adversary is allowed to output the ciphertext of an indirect where t (≤ n) is a threshold. Importantly, at the end of the protocol, encryption query as a valid forgery if it manages to acquire one. only one special party (evaluator) learns the output. A DPRF should Therefore the TSE scheme is required to prevent such attacks by meet two main requirements: (i) consistency: the evaluation should making them unpredictable to him even while actively participating be independent of the participating set, and (ii) pseudorandomness: in the protocols. the evaluation’s output should be pseudorandom to everyone else Interestingly, we allow three types of decryption queries in the ciphertext integrity game. The adversary (i) either makes a stan- 2Under the unified definition, the adversary is supposed to distinguish between two worlds, a ‘real’ world where access to both encryption and decryption oracle is provided, dard decryption query where it initiates the decryption using a and an ‘ideal’ world where the encryption oracle is replaced with one that just returns ciphertext of its choice and learns the decryption and transcripts of random bits and the decryption oracle is replaced with one that just returns ⊥. 4 but the evaluator even if the adversary corrupts all other t − 1 change the key by mauling w to w ′ (and hence maul the ciphertext) parties and behaves maliciously. and decrypt e with w ′ to produce a valid message m′. The crux of In the malicious case, one can think of a slightly stronger prop- the problem is in giving the adversary the flexibility to choose the erty, called (iii) correctness, where after an evaluation involving up encryption key w without any checks or restrictions. to t − 1 malicious corruptions, an honest evaluator either receives Failed Attempt-2. the correct output or can detect the malicious behavior.3 Naor et Another natural approach to construct dis- r al. [59] propose two very efficient (two-round) instantiations of tributed threshold encryption is to (i) choose a random nonce , (ii) w (j,r ) w DPRF, one based only on symmetric-key cryptography and another compute a DPRF value on and (iii) use as a key for a stan- e = (m) based on the DDH assumption. We provide the first formal proof of dard authenticated encryption scheme AE to compute AEw . (j,r, e) security for these constructions under a strong pseudo-randomness The final ciphertext is . One can easily observe that, although requirement. These constructions, however, do not satisfy the cor- message private, this approach does not suffice for authenticity w rectness definition (against malicious adversaries). Interestingly, since an attacker can make a single encryption query to obtain we note that the recommended approach of obtaining correctness and use it to encrypt more valid messages without violating the by applying a NIZK to each message of the protocol runs into a security of the AE scheme. subtle technical issue, and show how to circumvent it by modifying Note that both attacks discussed above work even in the semi- the construction such that the public parameters provide a trapdoor honest setting since the corrupt parties behave honestly in all dis- commitment to the secret keys of the parties. tributed protocols. In fact, the above attempts fail to achieve even a much weaker notion of authenticity which does not allow decryp- Attempt-0: A four-round protocol. As discussed earlier, our goal tion queries. See the full version [17] for more details. is to obtain a two-round protocol where one party sends a mes- sage to others and receives a response. But it is helpful to review a Our Construction. At a high level, we use a DPRF scheme to first attempt that requires four rounds of interaction and meetsall generate a pseudorandom key w that is used to encrypt the message our security requirements. We assume a DPRF scheme is already m. But to avoid the recurring problem in the failed attempts above, setup. To encrypt a message m, parties evaluate the DPRF on a we need to ensure that an adversary cannot use the same w to random message r generated by the encryptor to obtain the output generate any other valid ciphertext. To do so, we bind w to the w. The encryptor then encrypts the message m using a CPA-secure message m (and the identity of party j). One way to achieve that is symmetric-key encryption with w as the secret-key to obtain a to use (j∥m) as an input to the DPRF. First, note that it is necessary ciphertext c. Parties then run the DPRF protocol one more time to put j inside the DPRF, otherwise a malicious attacker can easily on H (c) for a collision-resistance H, such that the obtain w by replaying the input of the DPRF in a new encryption encryptor obtains the tag t. Encryptor outputs (r,c, t) as the out- query and thereby recovering any message encrypted by an honest put of the encryption protocol. The decryption protocol works as encryptor. In the protocol we make sure each party checks if a expected by first recomputing and checking t and then recovering message of the form (j, ∗) is indeed coming from party j. Second, w to decrypt c. this does not suffice as it reveals m to all other parties during the It is worth noting that this construction is reminiscent of the encryption protocols originated by honest parties and as a result standard encrypt-then-MAC approach for obtaining an authenti- fails to achieve even message privacy. To overcome this, we instead cated encryption scheme, where in one invocation the DPRF is used input a commitment to m to the DPRF. The hiding property of to generate a fresh random key for encryption and in the second the commitment ensures that m remains secret, and the binding invocation it is used to compute a MAC on the ciphertext. Note that property of the commitment binds w to this particular message. To the encryption protocol requires two sequential calls to the DPRF enable the verification of the decommitment during the decryption, protocol, hence yielding four rounds of interaction. Interestingly, we need to also encrypt the commitment randomness along with to obtain a two-round protocol, we need to deviate from this and m. 4 design a protocol that roughly follows the MAC-then-encrypt para- This almost works except that the attacker can still generate digm but nevertheless meets our strong notions of security. Next valid new ciphertexts by keepingm, j and w the same and using new we review two 2-round proposals that fail to achieve our notions. randomness to encrypt m. We prevent this by making the ciphertext deterministic givenm andw: we inputw to a pseudorandom number Failed Attempt-1 [59]. The first (to the best of our knowledge) generator to produce a pseudorandom string serving as a “one-time proposal for a distributed encryption is due to Naor et al. [59] (NPR pad” that is used to encrypt m just by XOR’ing. in short). They propose to (i) first encrypt the message m locally to To summarize, our final construction can be informally described produce a ciphertext e = SEw (m) by a “standard” symmetric-key as follows: (i) the encryptor with identity j chooses a random ρ encryption scheme SE where the key w is chosen freshly at random; to compute α := Com(m; ρ) where Com is a commitment and (ii) then invoke the DPRF on the input (j∥e) for the encryptor to sends (j, α) to the participating parties, (ii) the participating parties obtain y, where j is the encryptor’s identity; (iii) finally mask the then first check if the message (j, α) is indeed sent by j (otherwise key w with y. The final ciphertext is of the form (j,y ⊕ w, e). Al- they abort) and then evaluate the DPRF on (j∥α) for the encryptor though this achieves message privacy, it fails to achieve authenticity to obtain the output w, (iii) finally, the encryptor computes e = since the adversary, after obtaining a valid ciphertext as above, can PRG(w) ⊕ (m∥ρ) and outputs the ciphertext (j, α, e). 3Looking ahead, our TSE protocol achieves strong authenticity, in which the adversary is involved in the decryption of the forgery, only if the underlying DPRF achieves 4In fact this already satisfies a weaker notion of plaintext integrity (see Remark 6.10) correctness. since the adversary cannot forge a ciphertext for a new message. 5 In Section 7 we show that the above construction achieves con- function’s output. Since its introduction in early 80s, MPC has sistency, message privacy and authenticity (ciphertext integrity) grown into a rich area with a number of different solutions of against a malicious adversary who corrupts up to t − 1 parties if various flavors. In the last decade or so, the performance of general- the underlying DPRF is consistent and pseudorandom. Moreover, if purpose MPC protocols (which allow arbitrary functions to be the underlying DPRF satisfies our correctness definition, then our computed) has improved substantially in both the two-party and TSE achieves strong authenticity. Note that given a DPRF, the only multi-party setting [3, 7, 8]. assumption required for the transformation is one-way functions. However, all general-purpose MPC protocols work with a cir- cuit representation of the function which seems to be an overkill 3 RELATED WORK to solve our specific problem. Furthermore, the communication We briefly discuss several related research directions with similar complexity of these protocols typically scales linearly with the size motivations. of the circuit and the number of parties. Finally, the number of rounds of interactions is often more than two6 for all practical Secret-sharing. Secret-sharing schemes can be used to share the MPC instantiations; and the protocols require all pairs of parties to key for symmetric-key encryption among multiple parties, say n. interact. Thus, a general-purpose MPC protocol for evaluating sym- They guarantee that even if up to n − 1 parties are compromised, no metric ciphers such as AES in any encryption mode [2, 32, 51, 65] information about the key is leaked. A popular is too expensive of a solution for many applications of distributed tool called Vault [13] takes this approach. It uses Shamir’s secret symmetric-key encryption. On the other hand, MPC-based solu- sharing [67] to split the master secret key into shards. According tions are advantageous in scenarios where the desired encryption to the documentation [14], “This allows each shard of the master scheme is fixed and cannot be changed by the application (dueto key to be on a distinct machine for better security.” In practice, compatibility with other components or a compliance requirement however, the master secret key is reconstructed from the shards to use standardized schemes such as AES) since MPC can be used when the Vault server is started, and remains in the memory of to securely compute arbitrary cryptographic functions. several—potentially, very weakly protected—parties for extended periods of time5. Certainly, Vault makes it easy for multiple appli- 4 PRELIMINARIES cations or services to share the same key material but, at the same In this paper, unless mentioned otherwise, we focus on challenge- time, does not reduce key exposure in a significant way. Effectively, response style two-round protocols: a party sends messages to instead of being stored in a permanent way on multiple parties, the some other parties and gets a response from each one of them. In key material lives in memory. particular, the parties contacted need not communicate with each Threshold PKE.. Threshold public-key encryption is a well-studied other. problem in cryptography [29, 34–36, 43, 59, 68]. Here, the decryp- Common notation. N tion key is shared among a set of parties such that at least a thresh- Let denote the set of positive integers. We n n ∈ N { , ,...,n} f old of them are needed to decrypt any ciphertext. In some sense, use [ ] for to denote the set 1 2 . A function : N → N negl p threshold PKE is an analog of the problem we study here. But as is negligible, denoted by , if for every polynomial , f (n) < /p(n) n D(x) = y discussed earlier, being a public-key notion, neither the security no- 1 for all large enough values of . We use : y = D(x) y deterministic tions nor the efficiency requirements meet those of symmetric-key or : to denote that is the output of the D x R(x) → y y ← R(x) applications. algorithm on input . Also, or denotes that y is the output of the randomized algorithm R on input x. R can Threshold Pseudorandom Functions. To the best of our knowl- be derandomized as R(x;r ) =: y, where r is the explicit random edge, the only threshold constructions designed for symmetric-key tape used by the algorithm. Finally, we write X ∼ DS to denote primitives are for pseudorandom functions [26, 37–40, 57, 59, 60]. a random variables X that follows a distribution D over a set S. This line of work is primarily focused on distributed PRFs (DPRF) For two random variables X and Y we write X ≈comp Y to denote with security in the standard model or additional properties such that they are computationally indistinguishable and X ≈stat Y as verifiability or key-rotation, but does not provide definitions or to denote that they are statistically close. Concatenation of two constructions for the more general case of symmetric-key encryp- strings a and b is either denoted by (a∥b) or (a,b). Throughout the tion. The only exception is the work of Naor et al. [59], which also paper, we use n to denote the total number of parties, t to denote proposes a mechanism for encrypting messages using their DPRF the threshold, and κ to denote the security parameter. We make the construction. But as we have discussed (c.f. Sec 2.1), their proposal natural identification between players and elements of {1,...,n}. fails to meet our definition of threshold authenticated encryption. We will use Lagrange interpolation for evaluating a polynomial. Nevertheless, we use Naor et al.’s DPRF constructions as the main For any polynomial P, the i-th Lagrange coefficient for a set S building block in our constructions and implementations. to compute P (j) is denoted by λj,i,S . Matching the threshold, we will mostly consider (t − 1)-degree polynomials, unless otherwise General-purpose MPC. Secure multi-party computation (MPC) mentioned. In this case, at least t points on P are needed to compute allows multiple parties to evaluate a function over their private any P (j). inputs without revealing anything about their inputs beyond the

5If not the master secret key itself, then at least the encryption key remains in memory. 6A recent surge of results [23, 44–47, 58] construct two round MPC protocols. However, The encryption key encrypts the actual data and the master key encrypts the encryption these constructions focus mainly on generic feasibility and minimizing assumptions key. We refer to the documentation for details. and are far from being practical.

6 Inputs and outputs. We write [j : x] to denote that the value x challenge input (up to the threshold). Third, it is not allowed to par- is private to party j. For a protocol π, we write [j : z′] ← π ([i : ticipate in computing the DPRF on the challenge input, which may (x,y)], [j : z],c) to denote that party i has two private inputs x help it in distinguishing the true DPRF value from random. (Note and y; party j has one private input z; all the other parties have no that this last attack makes sense only under an active corruption.) private input; c is a common public input; and, after the execution, We allow the adversary to do all of the above in the pseudo- ′ only j receives an output z . We write [i : xi ]∀i ∈S or more compactly randomness game, thus obtaining a much stronger security guar- x S to denote that each party i ∈ S has a private value xi . antee. Apart from consistency and pseudo-randomness, we also J K propose a correctness property which ensures that even if corrupt Network model. We assume that all the parties are connected by parties are involved in a DPRF computation, they cannot make point-to-point secure and authenticated channels. We also assume an honest party output a wrong value.7 We build on the construc- that there is a known upper-bound on the time it takes to deliver a tions of Naor et al. [59] to obtain these properties from our DPRF message over these channels. instantiations. Naor et al. [59], however, were mainly concerned with DPRF Adversary model. We allow an adversary to take control of up security against semi-honest adversaries. They provide a security to t − 1 parties and make them behave in an arbitrary manner (ac- definition and two different constructions for such adversaries. tive/malicious corruption). The set of corrupt parties is not known They mention briefly that using non-interactive zero-knowledge in advance, but we assume that it does not change during protocol (NIZK) proofs, one could make their DPRF constructions actively execution (static corruption). We use C to denote the set of parties secure. However, they do not give a formal security definition for under the control of an adversary A. active security. It turns out that a naive application of NIZK proofs Cryptographic primitives. We need some standard cryptographic is in fact not sufficient to obtain security against malicious partici- primitives to design our protocols. We need a (non-distributed) pants. We additionally need trapdoor commitments to satisfy the symmetric-key encryption scheme with algorithms Kgen, Encrypt stronger pseudo-randomness requirement proposed here. Further, and Decrypt; a trapdoor commitment scheme with algorithms the fact that adversaries can obtain DPRF partial outputs on the challenge input and participate in computing the challenge DPRF Setupcom, Com (that generates commitments), SimSetup and SimOpen; Shamir’s secret sharing scheme that takes integers n, t,p,s and out- value makes the proof more intricate. puts n shares of s ∈ Zp s.t. at least t are needed to recover s; and, a We now present a formal treatment of DPRF. Similar to NPR [59], non-interactive zero-knowledge argument-of-knowledge scheme we use a threshold t to capture the authorized subsets, i.e., any set with algorithms Prove and Verify (that get access to a hash func- of at least t parties can compute the function f . Security is provided tion H modeled as a random oracle). We define these primitives against any set of up to t − 1 corrupt parties. formally, along with the security properties we desire from them, Definition 5.1 (Distributed Pseudo-random Function). A distributed in the full version [17]. pseudo-random function (DPRF) DP is a tuple of three algorithms (Setup, Eval, Combine) who satisfy a consistency property. κ 5 DISTRIBUTED PSEUDO-RANDOM – Setup(1 ,n, t) → ((sk1,...,skn ),pp). The setup algorithm FUNCTIONS: DEFINITIONS generates n secret keys (sk1, sk2, ..., skn ) and public parame- Micali and Sydney introduced the notion of distributed pseudo- ters pp. The i-th secret key ski is given to party i. random functions in the mid 90s [57]. A DPRF distributes between – Eval(ski , x,pp) → zi . The Eval algorithm generates pseudo- n parties the evaluation of a function f which is an approximation random shares for a given value. Party i computes the i-th of a random function, such that only authorized subsets of parties share zi for a value x by running Eval with ski , x and pp. are able to compute f . A party who wants to compute f (x) sends – Combine({(i, zi )}i ∈S ,pp) =: z/⊥. The Combine algorithm x to the parties in an authorized subset and receives information combines the partial shares {zi }i ∈S from parties in the set which enables her to find f (x). A DPRF must be consistent in the S to generate a value z. If the algorithm fails, its output is sense that for all inputs x, all authorized subsets should lead to the denoted by ⊥. same value f (x). Consistency. For anyn, t ∈ N such that t ≤ n, all ((sk1,...,skn ),pp) ′ A number of constructions and variants have been proposed over generated by Setup(1κ ,n, t), any input x, any two sets S, S ⊂ [n] the course of more than two decades but they either involve multi- of size at least t, there exists a negligible function negl such that ple rounds of communication [37], extensive interaction [38, 60], Pr[Combine({(i, z )} ∈ ,pp) = consider only passive corruption [26, 59], or achieve stronger prop- i i S ′ erties which makes them more expensive [39]. Several pseudo- Combine({(j, zj )}j ∈S′ ,pp) , ⊥] ≥ 1 − negl(κ), randomness definitions have also been put forward in the literature, ′ where zi ← Eval(ski , x,pp) for i ∈ S, zj ← Eval(skj , x,pp) for but they are not very formal or general in most cases. There are j ∈ S ′, and the probability is over the randomness used by Eval. several attacks that are not explicitly captured by these definitions 7 (though the proposed constructions may be secure against them). This is a weaker requirement than robustness for DPRFs which guarantees that an honest party will receive the correct DPRF value. However, Dodis [37], for instance, First, the adversary is not allowed to choose the set of parties to assumes that the set of parties contacted by the honest party includes at least t honest corrupt based on the public parameters (the only exception we parties to achieve robustness (and the proposed protocol involves several rounds of know of is the definition proposed by Boneh et26 al.[ ]). Second, it communication). We do not make any such assumption. In fact, when the threshold is close to the total number of parties, there may not be enough honest parties to fulfill cannot obtain DPRF partial evaluations from honest parties on the the condition. 7 A DPRF is pseudorandom if no adversary can guess the PRF a special party j who will initiate the protocol, a set of parties value on an input for which it hasn’t obtained shares from at least t whom j will contact, and the input of j (message or ciphertext). The parties. It is correct if no adversary can generate shares which lead protocol will be executed as one would expect: challenger will play to an incorrect PRF value. These properties are defined formally in the role of all parties not in the control of adversary and exchange the full version [17]. messages with it on their behalf. If j is honest, then challenger will initiate the protocol, otherwise, the adversary will initiate it. Definition 5.2 (Security of DPRF). Let DP be a distributed pseudo- For 2-round protocols, the interaction between the challenger and random function. We say that DP is secure against malicious ad- adversary will be quite simple. If j is honest, then the challenger will versaries if it satisfies the pseudorandomness requirement17 [ , Def. send every message intended for a corrupt party to the adversary 5.3]. Also, we say that DP is strongly-secure against malicious ad- on behalf of j and wait to get a response from it. Challenger will versaries if it satisfies both the pseudorandomness and correctness then combine the response together with the response of honest [17, Def. 5.4] requirements. parties (which it generates itself) to get the final output. On the 6 THRESHOLD SYMMETRIC-KEY other hand, when j is corrupt, the challenger is just supposed to respond to the messages that adversary sends to the honest parties. ENCRYPTION: DEFINITIONS From here on, we will not be explicit about the details of a In this section, we introduce threshold symmetric-key encryption protocol execution. We will just state that an instance of encryption (TSE) and formalize notions of correctness, message privacy, and or decryption protocol is run when adversary requests for it. Also authenticity for such schemes. We start by specifying the algorithms note that although all the games below have separate encryption that constitute a TSE scheme. and decryption phases, this is only to make the definitions easy to Definition 6.1 (Threshold Symmetric-key Encryption). A thresh- read. The adversary is not restricted in this sense and can alternate old symmetric-key encryption scheme TSE is given by a tuple between encryption and decryption queries. (Setup, DistEnc, DistDec) that satisfies the consistency property Remark 6.3 (Relation with standard definitions). Note that below. our security notion can also be thought of as a generalization of κ – Setup(1 ,n, t) → ( sk [n],pp) : Setup is a randomized algo- standard (non-interactive) authenticated encryption. In particular, rithm that takes theJ securityK parameter as input, and outputs setting n = 1 and t = 0 one gets standard CPA-security from our n secret keys sk1,...,skn and public parameters pp. The i-th message privacy definition (Def. 6.6) and standard ciphertext integrity secret key ski is given to party i. from our authenticity definition (Def. 6.8). – DistEnc( sk [n], [j : m, S],pp) → [j : c/⊥] : DistEnc is a dis- tributed protocolJ K through which a party j encrypts a message 6.1 Correctness m with the help of parties in a set S. At the end of the protocol, A TSE scheme is correct if whenever DistEnc outputs a ciphertext c j outputs a ciphertext c (or ⊥ to denote failure). All the other for an input message m (i.e., it does not fail), then DistDec outputs parties have no output. either m or ⊥ when run with c as input. An adversary should not – DistDec( sk [n], [j : c, S],pp) → [j : m/⊥] : DistDec is a dis- be able to influence the decryption protocol to produce a message J K tributed protocol through which a party j decrypts a ciphertext different from m. We also consider strong-correctness which addi- c with the help of parties in a set S. At the end of the protocol, tionally requires that c should only decrypt to m (not even ⊥) when j outputs a message m (or ⊥ to denote failure). All the other decryption is performed honestly. parties have no output. Definition 6.4 (Correctness). A TSE scheme TSE := (Setup, DistEnc, Consistency. For any n, t ∈ N such that t ≤ n, all ( sk ,pp) [n] DistDec) is correct if for all PPT adversaries A, there exists a neg- output by Setup(1κ ), for any message m, any two setsJS, SK′ ⊂ [n] ligible function negl such that the following game outputs 1 with such that |S|, |S ′| ≥ t, and any two parties j ∈ S, j′ ∈ S ′, if all the probability at least 1 − negl(κ). parties behave honestly, then there exists a negligible function negl − κ sk , such that Initialization. Run Setup(1 ) to get ( [n] pp). Give pp to A. J K ′ ′ ′ − A Pr [j : m] ← DistDec( sk [n], [j : c, S ],pp) | Corruption. Receive the set of corrupt parties C from , where  J K |C| < t. Give the secret-keys {ski }i ∈C of these parties to A. [j : c] ← DistEnc( sk [n], [j : m, S],pp) ≥ 1 − negl(κ), − Encryption. Receive (Encrypt, j,m, S) from A where j ∈ S \ C J K  and |S| ≥ t. Initiate the protocol DistEnc from party j with where the probability is over the random coin tosses of the parties inputs m and S. If j outputs ⊥ at the end, then output 1 and involved in DistEnc and DistDec. stop. Else, let c be the output ciphertext. ′ ′ ′ ′ Definition 6.2 (Security of TSE). Let TSE be a threshold symmetric- − Decryption. Receive (Decrypt, j , S ) from A where j ∈ S \C ′ ′ key encryption scheme. We say that TSE is (strongly)-secure against and |S | ≥ t. Initiate the protocol DistDec from party j with ′ malicious adversaries if it satisfies the (strong)-correctness (Def. inputs c, S and pp. ′ 6.4), message privacy (Def. 6.6) and (strong)-authenticity (Def. 6.8) − Output. Output 1 if and only if j outputs m or ⊥. requirements. A strongly-correct TSE scheme is a correct TSE scheme but with a In the security requirements that follow, the adversary is allowed different output step. Specifically, output 1 if and only if: to make encryption and decryption queries. In a query, it will specify − If all parties in S ′ behave honestly, then j′ outputs m; or, 8 − If corrupt parties in S ′ deviate from the protocol, then j′ out- − Post-challenge encryption queries. Repeat pre-challenge encryp- puts m or ⊥. tion phase. − Post-challenge indirect decryption queries. Repeat pre-challenge Remark 6.5 (Correctness for different applications). In ap- decryption phase. plications like key management, ciphertexts generated at some point − Guess. Finally, A returns a guess b′. Output b′. may be decrypted much later when the plaintext is no longer available. In such cases, malformed ciphertexts must be immediately detected, Remark 6.7. When DistEnc is run in the challenge phase with hence strong correctness is needed. In applications like network au- S⋆∩C , ∅, corrupt parties can easily cause the protocol to fail, leading thentication (Kerberos) or IoT-based payments where ciphertexts are j⋆ to output ⊥. The definition above ensures that the probability that typically decrypted shortly after encryption, the weaker notion of TSE this happens cannot depend on the message mb . suffices. In such cases, the outcome of decryption is known immedi- ately and, if it is a failure, one can run another encryption session 6.3 Authenticity with a different set of parties. As discussed in the overview section (Section 2.1), we cannot di- rectly generalize the standard (non-interactive) authenticity defini- 6.2 Message privacy tion to our setting for multiple reasons. First, the ability to make We allow for two types of encryption queries in the message privacy decryption queries gives additional power to the adversary. Second, game: 1) the adversary can initiate an encryption session to obtain ciphertexts generated in indirect encryption and decryption queries both the final ciphertext as well as the transcripts of the parties should remain unpredictable to the adversary or else they would it corrupts. 2) it can make an indirect encryption query where it enable successful forgeries. Thus, the definition we present below invokes an honest party to initiate an encryption session using a departs significantly from the non-interactive version. message of its choice. To make the definition stronger, we provide In the definition, the variable д captures the minimum num- the ciphertext output by the honest party to the adversary. ber of honest parties an adversary must contact in order to get However, this alone is not sufficient to capture full message enough information to generate one ciphertext. The variable ct privacy in the distributed setting. A decryption session initiated by counts the total number of times honest parties are contacted in an honest party on any ciphertext of adversary’s choice (including encryption/decryption protocols initiated by corrupt parties. Thus, the challenge) should not reveal what the decrypted message is the definition requires that an efficient adversary should onlybe either. Thus, we must allow the adversary to make such queries as able to produce ⌊ct/д⌋ ciphertexts at the end of the game. well. We present two variants of the definition. In the first notion, the forged ciphertexts output by an adversary at the end of the game Definition 6.6 (Message privacy). A TSE scheme TSE := (Setup, are decrypted in an honest manner, i.e., all the parties involved in DistEnc, DistDec) satisfies message privacy if for all PPT adversaries decryption follow the protocol. On the other hand, our stronger au- A, there exists a negligible function negl such that thenticity notion allows the adversary to influence the decryption κ process. A forged ciphertext that may otherwise not decrypt suc- Pr MsgPrivTSE, A (1 , 0) = 1 − f g cessfully, could be decryptable if corrupt parties manipulate their Pr MsgPriv (1κ , 1) = 1 ≤ negl(κ), TSE, A responses. Thus, there could be ciphertexts that are valid forgeries f g in the strong authenticity game but not in the standard one. where MsgPriv is defined below. Recall that a targeted decryption query provides a way for an κ , MsgPrivTSE, A (1 b): adversary to ask an honest party to initiate a decryption session on κ − Initialization. Run Setup(1 ,n, t) to get ( sk [n],pp). Give pp a ciphertext that was previously generated by some honest party, to A. J K since such a ciphertext may not be available to the adversary. Just − Corruption. Receive the set of corrupt parties C from A, where as in regular encryption/decryption sessions initiated by honest |C| < t. Give the secret keys {ski }i ∈C of these parties to A. parties, the counter ct is not updated in a targeted decryption ses- − Pre-challenge encryption queries. In response to A’s encryption sion because we want to capture that the adversary does not get query (Encrypt, j,m, S), where j ∈ S and |S| ≥ t, run an any useful information towards generating new ciphertexts in such instance of the protocol DistEnc with A8. If j < C, then party a session. j initiates the protocol with inputs m and S, and the output of Definition 6.8 (Authenticity). A TSE scheme TSE := (Setup, DistEnc, j is given to A. Repeat this step as many times as A desires. DistDec) satisfies authenticity if for all PPT adversaries A, there − Pre-challenge indirect decryption queries. In response to A’s exists a negligible function negl such that decryption query (Decrypt, j,c, S), where j ∈ S \C and |S| ≥ t, κ party j initiates DistDec with inputs c and S. Repeat this step Pr AUTHTSE, A (1 ) = 1 ≤ negl(κ), as many times as A desires. f g ⋆ ⋆ where AUTH is defined below. − Challenge. A outputs (Challenge, j ,m0,m1, S ) where |m0| = ⋆ ⋆ ⋆ κ |m1|, j ∈ S \ C and |S | ≥ t. Initiate the protocol DistEnc AUTHTSE, A (1 ): from party j⋆ with inputs m and S⋆. Give c⋆ (or ⊥) output κ b − Initialization. Run Setup(1 ,n, t) to get ( sk [n],pp). Give pp ⋆ A J K by j as the challenge to . to A. Initialize a counter ct := 0 and an ordered list Lctxt := ∅. 8Note that j can be either honest or corrupt here. So both types of encryption queries Below, we assume that for every query, the (j, S) output by A are captured. are such that j ∈ S and |S| ≥ t. 9 − Corruption. Receive the set of corrupt parties C from A, where One can modify our construction to satisfy an even stronger no- |C| < t. Give the secret keys {ski }i ∈C of these parties to A. De- tion where even decryption queries initiated by the adversary are fine the gap between the threshold and the number of corrupt not counted towards its forgery budget. For example, in parallel to parties as д := t − |C|. evaluating the DPRF on j∥α, a threshold signature on the same input − Encryption queries. On receiving (Encrypt, j,m, S) from A, can be computed. Then, during decryption, parties first check the va- run the protocol DistEnc with m, S as the inputs of j. If j ∈ C, lidity of the signature before responding with their partial share of the increment ct by |S \ C| (number of honest parties in S). Else, DPRF value. However, adding an invocation of a threshold signature append the ciphertext output by j to Lctxt. scheme to DiSE would be a significant overhead and would eliminate − Decryption queries. On receiving (Decrypt, j,c, S) from A, run the possibility of a symmetric-key only solution. the protocol DistDec with c, S as the inputs of j. If j ∈ C, increment ct by |S \ C|. 7 OUR CONSTRUCTION: DiSE − Targeted decryption queries. On receiving (TargetDecrypt, j, ℓ, S) In this section, we put forward our main construction DiSE, based from A for some j ∈ S \C, run DistDec with c, S as the inputs on any DPRF. A full description of the construction is provided in of j, where c is the ℓ-th ciphertext in Lctxt. Figure 2. (See Section 2.2 for an overview.) We prove that if the − Forgery. Let k := ⌊ct/д⌋. A outputs ((j1, S1,c1), (j2, S2,c2), ..., DPRF is (strongly) secure, then DiSE is (strongly) secure too. (jk+1, Sk+1,ck+1)) such that j1,..., jk+1 < C and cu , cv for u v ∈ k + any , [ 1] (ciphertexts are not repeated). For every Ingredients: i ∈ [k + 1], run an instance of DistDec with c , S as the input i i − An (n, t )-DPRF protocol DP := (DP.Setup, Eval, Combine) (Def. 5.1). j S of party i . In that instance, all parties in i behave honestly. − A pseudorandom generator PRG of polynomial stretch. Output 0 if any ji outputs ⊥; else output 1. − A commitment scheme Σ := (Σ.Setup, Com). A TSE scheme satisfies strong-authenticity if it satisfies authentic-   Setup(1κ, n, t ) → sk , pp : Run DP.Setup(1κ, n, t ) to get ity but with a slightly modified AUTH: In the forgery phase, the [n] J K κ ((rk1,..., rkn ), pp ) and Σ.Setup(1 ) to get ppcom. Set ski := rki for restriction on corrupt parties in Si to behave honestly is removed DP i ∈ [n] and pp := (pp , pp ). (for all i ∈ [k + 1]). DP com DistEnc( sk [n], [j : m, S], pp) → [j : c/⊥]: To encrypt a message m with Remark 6.9 (Authenticity for different applications). When J K the help of parties in S: protecting data at rest, an application may require that both encryp- − , tion and decryption are distributed. If adversary can also interfere Party j computes α := Com(m ppcom; ρ) for a randomly chosen ρ and sends α to all parties in S. with decryption, the stronger version of authenticity should be used. − For every i ∈ S, party i runs Eval(ski, j ∥α, pp) to get zi , and sends In case of authentication tokens generated for an external service, the it to party j. decryption is likely to be performed by a third party who holds the full − Party j runs Combine({(i, zi )}i∈S, pp) to get w or ⊥. In the latter key in a secure environment. Hence, the weaker notion of authenticity case, it outputs ⊥. Otherwise, it computes e := PRG(w ) ⊕ (m ∥ρ) and may suffice. then outputs c := (j, α, e).

As we will see later, our TSE construction requires a stronger prop- ′ ′ DistDec( sk [n], [j : c, S], pp) → [j : m/⊥]: To decrypt a ciphertext c erty from the underlying DPRF to achieve the stronger form of au- J K thenticity and as a result require the use of zero-knowledge proofs, with the help of parties in S: ′ but the normal form of authenticity can be achieved without it. − Party j first parses c into (j, α, e). Then it sends j ∥α to all the parties in S. Remark 6.10 (Integrity of plaintexts). In the non-interactive − For i ∈ S, party i receives x and checks if it is of the form j⋆ ∥α ⋆ setting for authenticated encryption, a weaker form of INT-CTXT, for some j⋆ ∈ [n]. If not, then it sends ⊥ to party j′. Else, it runs ′ called integrity of plaintexts (INT-PTXT) [20], has also been studied. Eval(ski, x, pp) to get zi , and sends it to party j . ′ If a forged ciphertext decrypts to a message encrypted earlier by the − Party j runs Combine({(i, zi )}i∈S, pp) to get w or ⊥. In the latter adversary, then it is not considered a valid forgery in the INT-PTXT case, it outputs ⊥. Otherwise, it computes m ∥ρ := PRG(w ) ⊕ e and game. One can also weaken our authenticity definition in a similar checks if α = Com(m, ppcom; ρ). If the check succeeds, it outputs m; otherwise, it outputs ⊥. fashion: a sequence of ℓ forgeries would be accepted only if they decrypt to ℓ unique messages. See Lemma 7.4 for how this notion Figure 2: DiSE: our threshold symmetric-key encryption protocol. comes up in the distributed setting. Theorem 7.1. The TSE scheme DiSE of Figure 2 is (strongly)-secure Remark 6.11 (Updating counter for decryption). In our cur- if the underlying DPRF DP is (strongly)-secure. rent authenticity definitions, we increment the counter ct only for decryption queries initiated by the adversary (not for indirect or tar- Proof. The proofs of consistency and correctness are not hard geted queries), implying that a ciphertext the adversary could deduce to observe and deferred to the full version [17]. from such an interaction is not considered a successful forgery. Though Lemma 7.2 (Strong-correctness). If DP satisfies the correctness it may seem at first that we are increasing the attack surface (note property, then DiSE is a strongly-correct TSE scheme. that direct encryption queries are already counted towards this), the extra information leakage may not make a significant difference in Proof. For a TSE scheme to be strongly-correct, we also need practice, especially when applications restrict and/or log who initiates that if all the parties involved in decryption behave honestly, then a decryption and what can be decrypted by whom. ciphertext c := (j, α, e), where e := PRG(w) ⊕ (m∥ρ), generated by 10 an honest party (possibly involving some corrupt parties) should Lemma 7.5 (Strong-authenticity). If DP is a strongly-secure decrypt to the right message with high probability. Now the cor- DPRF, then DiSE is a TSE scheme that satisfies strong-authenticity. rectness property of DP guarantees that if all the parties involved Proof sketch. Strong authenticity gives additional power to the in decryption are honest w ′ obtained through Combine during adversary. In the decryption of forged ciphertexts, corrupt parties decryption will be the same as the w obtained during encryption can deviate from the protocol arbitrarily. Thus, unlike above, con- except with negligible probability (as the input to the DPRF is the sistency of DP alone would not suffice. Using both consistency and same j∥α). Therefore, PRG(w ′) ⊕ e in the last step of decryption correctness though, one can argue that even if c , c are decrypted would give PRG(w ′) ⊕ PRG(w) ⊕ (m∥ρ) = m∥ρ. □ 1 2 with different sets of parties, the recovered DPRF values w1, w2 are For the following three lemma, we provide a sketch here and either the same or ⊥. In the latter case, AUTH clearly outputs 0, defer formal proofs to the full version [17]. and, in the former, it outputs 0 for the same reason as above. Lemma 7.3 (Message privacy). If DP is a secure DPRF, then DiSE The rest of the proof is similar to the one for weak-authenticity is a message-private TSE scheme. with some minor changes in how the pseudorandomness guarantee is reduced to authenticity. □ □ Proof sketch. The challenge ciphertextc⋆ has the form (j⋆, α⋆, e⋆) ⋆ ⋆ ⋆ ⋆ ⋆ where e = PRG(w ) ⊕ (mb ∥ρ ), α = Com(mb ,ppcom; ρ ) and Remark 7.6 (Key-management application). As discussed in ⋆ ⋆ ⋆ w is the output of DPRF DP on j ∥α . One can think about the the introduction (c.f. Section 1), a main motivation of this work masking with PRG as a symmetric-key encryption using a stream is to strengthen the security of key-management applications like cipher. So, an adversary A will find it computationally hard to Hashicorp Vault [13]. For such applications, DiSE should be viewed ⋆ guess b if w is indistinguishable from random. The pseudoran- as distributing the role of the key-manager itself. Multiple servers domness property of DP ensures this as long as A has no way of would keep shares of the master secret key (which is used to encrypt ⋆ ⋆ ⋆ evaluating the DPRF on j ∥α itself. (Note that α does not reveal various types of secrets) and know about each other’s identity. Clients information about mb due to the hiding property of Σ.) of the key-management application would need to authenticate via a If a corrupt party initiates an encryption protocol, then A can separate mechanism. learn j∥α⋆ for any j because α⋆ is not hidden from it, but j would never be equal to j⋆ since j⋆ is an honest party. On the other hand, 8 DPRF INSTANTIATIONS even if A asks party j⋆ to initiate encryption, j⋆ would compute In this section, we revisit the distributed pseudo-random function DPRF on a value α α⋆ due to the binding property of Σ. As a , (DPRF) constructions of Naor, Pinkas, and Reingold [59] (henceforth result, no matter how an encryption query is crafted, A cannot NPR) and study the properties defined in Section 5. compute the DPRF on j⋆∥α⋆. □ NPR proposed two different instantiations of DPRF, one based Lemma 7.4 (Authenticity). If DP is a secure DPRF, then DiSE is on the decisional Diffie-Hellman assumption (DDH) and another a TSE scheme that satisfies authenticity. based on any PRF. They showed that their constructions are secure against semi-honest adversaries, and briefly discussed how the first Proof sketch. Among the forged ciphertexts output by adversary, construction (DDH-based) could be extended to the malicious set- suppose there are two ciphertexts c1, c2 (c1 , c2) with the same j ting. Below, we present the two instantiations in their original form, and commitment α. When these two are decrypted with possibly and show that both achieve our pseudorandomness requirement different sets of parties, the DPRF value recovered would bethe against malicious adversaries. As discussed in Section 5, our defini- same due to the consistency property of DP (it is assumed that tion captures several attacks that were not considered before. Thus, all parties involved in decryption behave honestly). As a result, the proofs require significantly more care. Further, building onthe (m1, ρ1) and (m2, ρ2) recovered from c1 and c2, respectively, would idea mentioned in NPR, we strengthen the DDH-based construc- be different. Due to the binding property of Σ, α cannot be a com- tion with a NIZK proof (specifically, Schnorr’s proof [31, 66] via mitment to both. Hence, decryption of at least one of c1, c2 fails, the Fiat-Shamir transform [41]) to obtain strong security. However, and AUTH outputs 0. Therefore, if an adversary must succeed, each it turns out that in addition to the application of NIZKs, we need to of the k + 1 ciphertexts must have unique (j, α). use trapdoor commitments to commit to secret key shares of parties Recall that a valid adversary is allowed to contact honest parties in order to achieve our stronger pseudorandomness property. We strictly less than k · д number of times. So one can find at least one also briefly discuss how to strengthen the PRF-based construction (j, α) among the forged ciphertexts for which adversary has not to make it strongly secure using only symmetric-key primitives. contacted д parties. Due to the pseudorandomness property of DP, We only state the theorems here formally and defer the proofs to the adversary does not know the value of DPRF on (j, α). Hence, it the full version [17]. can not produce a valid ciphertext with it. Note that if parties involved in the decryption of forged ci- 8.1 DDH-based construction phertexts are allowed to act maliciously, we cannot invoke DPRF’s NPR’s first DPRF is based on any multiplicative group G of prime consistency property. However, the adversary would still not be order p in which DDH holds. The PRF functionality being computed able to make sure that c , c decrypt successfully to two distinct 1 2 collectively can be written as f (x) = H (x)s , where H : {0, 1}∗ → G messages because the commitment is binding. Thus, DiSE can be s is a hash function (modeled as a random oracle) and the key is shown to satisfy a strong notion of an INT-PTXT-style definition s ∈ Z . To distribute the evaluation of f , the secret key s must be in the distributed setting (see Remark 6.10). □ p secret shared between the parties. 11 ⟨ ⟩ In the setup phase, a trusted party samples a master key s ←$ Zp Parameters: Let G = д be a multiplicative cyclic group of prime ∗ and uses Shamir’s secret sharing scheme with a threshold t to create order p in which the DDH assumption holds, H : {0, 1} → G and H ′ : {0, 1}∗ → {0, 1}poly(κ ) be two hash functions modeled as n shares s1,...,sn of s. Share si is given privately to the party i. We random oracles. Let SSS be Shamir’s secret sharing scheme TDC := know that for any set S of ℓ ≥ t parties S := {i1,...,iℓ } ⊆ [n], there (Setupcom, Com) be a trapdoor commitment scheme, and NIZK := exists integers (i.e. Lagrange coefficients) λ0,1,S ,..., λ0,ℓ,S ∈ Zp ′ ′ (ProveH , VerifyH ) such that P s λ = s. Therefore, it holds that be a simulation-sound NIZK proof system. j ∈S ij 0, j,S κ − Setup(1 , n, t ) → ( sk [n], pp). Sample s ←$ Zp and get ℓ ← J K κ Pℓ Y  λ , j,S (s1,..., sn ) SSS(n, t, p, s). Run Setupcom (1 ) to get ppcom. s j=1 λ0, j,S sij sij 0 fs (x) = H (x) = H (x) = H (x) , Compute a commitment γi := Com(si, ppcom; ri ) by picking ri i=1 at random. Set pp = (p, д, G, γ1,..., γn, ppcom), ski := (si, ri ) which can be computed in a distributed manner running the proto- and give ski to party i, for i ∈ [n]. − → si col ΠDDH-DP as shown in Figure 3. This protocol satisfies pseudo- Eval(ski, x, pp) zi . Compute w := H (x ) and hi := w . Run H ′ s randomness definition but not correctness. Formally: Prove with the statement stmti : {∃s, r s.t. hi = w ∧ γi = Com(s, ppcom; r )} and witness (si, ri ) to obtain a proof πi . Output ((w, h ), π ). Parameters: Let G = ⟨д⟩ be a multiplicative cyclic group of prime order i i ∗ − Combine({(i, zi )}i∈S, pp) =: z/⊥. If |S | < t, output ⊥. Else, p in which the DDH assumption holds and H : {0, 1} → G be a hash H ′ function modeled as a random oracle. Let SSS be Shamir’s secret sharing parse zi as ((w, hi ), πi ) and check if Verify (stmti, πi ) = 1 ∈ ⊥ scheme. for all i S. If check fails for any i, output . Else, output λ0,i,S κ i∈S h . − Setup(1 , n, t ) → ( sk [n], pp) : Sample s ←$ Zp and get i (s ,..., s ) ← SSS(nJ, t,Kp, s). Set pp := (p, д, G) and sk := s 1 n i i Figure 4: A strongly secure DPRF protocol ΠZK-DDH-DP based and give (ski, pp) to party i, for i ∈ [n]. sk on DDH. Differences from ΠDDH-DP are highlighted in blue. − Eval(ski, x, pp) → zi : Compute w := H (x ), hi := w i and Parameters: Let G = ⟨д⟩ be a multiplicative cyclic group of prime order p in output hi . ∗ ′ ∗ which the DDH assumption holds, H : {0, 1} → G and H : {0, 1} → Zp − Combine({(i, zi )}i∈S, pp) =: z/⊥ : If |S | < t, output ⊥. Else, λ be hash functions. Let SSS be Shamir’s secret sharing scheme. ∈ Q 0,i,S parse zi as (hi ) for i S. Output i∈S hi . κ − Setup(1 , n, t ) → ( sk [n], pp). Sample s ←$ Zp and get J K Figure 3: A secure DPRF protocol ΠDDH-DP based on DDH. (s1,..., sn ) ← SSS(n, t, p, s). Sample a generator h of G at random. si ri Compute a commitment γi := д · h to si by picking ri ←$ Zp . Set ′ Theorem 8.1. Protocol ΠDDH-DP in Figure 3 is a secure DPRF pp = (p, д, G, H, H , γ1,..., γn, h), ski := (si, ri ) and give ski to under the DDH assumption in ROM. party i, for i ∈ [n]. s − Eval(ski, x, pp) → zi . Compute w := H (x ) and hi := w i . Pick Strong security. Adding trapdoor commitments and NIZK proofs ′ ′ vi ′ vi vi vi, vi ←$ Zp and set ti := w , ti := д · h . Compute a hash in the RO model (for a statement slightly different from the one ′ ′ ′ ′ ci := H (hi, w, γi, д, h, ti, ti ), ui := vi −ci ·si and ui := vi −ci ·ri . suggested by NPR) appropriately to ΠDDH-DP, we obtain the proto- ′ Define πi to be (ci, ui, ui ) and output ((w, hi ), πi ). col ΠZK-DDH-DP, described in detail in Figure 4. This protocol also − Combine({(i, zi )}i∈S, pp) =: z/⊥. If |S | < t, output ⊥. Else, parse satisfies correctness and hence achieves strong security. Formally: ′ ui ci ′ zi as ((w, hi ), (ci, ui, ui )) for i ∈ S. Compute ti := w · hi , ti := ′ c дui · hui · γ i and check if c = H ′(h , w, γ , д, h, t , t ′). If check Theorem 8.2. Protocol ΠZK-DDH-DP in Figure 4 is a strongly se- i i i i i i Q λ0,i,S cure DPRF under the DDH assumption in ROM. fails for any i ∈ S, output ⊥. Else, output i∈S hi .

An efficient way to instantiate trapdoor commitments andNIZK Figure 5: A concrete instantiation of the protocol ΠZK-DDH-DP arguments of knowledge (in the random oracle model) is via Peder- from Figure 4 using Pedersen commitment and Schnorr- sen commitments and Fiat-Shamir transformation on Schnorr-style style proof (via the Fiat-Shamir transform). proofs. We give this concrete version of ΠZK-DDH-DP in Figure 5 and Parameters: Let G = ⟨д⟩ be a multiplicative cyclic group of prime order p in ∗ ′ ∗ use it for our experiments in the following section. The concrete which the DDH assumption holds, H : {0, 1} → G and H : {0, 1} → Zp protocol remains secure under DDH (in random oracle model). be hash functions. Let SSS be Shamir’s secret sharing scheme. κ − Setup(1 , n, t ) → ( sk [n], pp). Sample s ←$ Zp and get Remark 8.3. Besides correctness, protocol of Figure 4 has the addi- J K ′ (s1,..., sn ) ← SSS(n, t, p, s). Set pp = (p, д, G, H, H ), ski := tional property that each party’s proof can be publicly verified, i.e. the s s (si, д 1,..., д n ) and give ski to party i, for i ∈ [n]. Combine algorithm only takes public inputs and the public messages s − Eval(ski, x, pp) → zi . Compute w := H (x ) and hi := w i . sent/received. In particular, even an external party who does not hold vi Pick vi ←$ Zp and set ti := д . Compute a hash ci := ′ s any secrets, given the partial DPRF values and the NIZK proofs, can H (hi, w, д i , д, ti ) and ui := vi − ci · si . Define πi to be (ci, ui ) publicly verify that the DPRF was computed correctly. This may be and output ((w, hi ), πi ). useful in applications where an external party wants to verify the − Combine(skj, {(i, zi )}i∈S, pp) =: z/⊥. If |S | < t, output ⊥. Else, ui ci correctness of a token. But if we settle for strong correctness with only parse zi as ((w, hi ), (ci, ui )) for i ∈ S. Compute ti := w · hi and ′ s s private verifiability, we can obtain a more efficient protocol. Inpar- check if ci = H (hi, w, д i , д, ti ) (д i is part of skj ). If check fails Q λ0,i,S ticular, instead of publicly committing to the secret keys, each party for any i ∈ S, output ⊥. Else, output i∈S hi . can be given дsi for all i as part of its secret key in the setup, and Figure 6: A privately verifiable version of the protocol from the Schnorr-based NIZK can be simplified to reduce the number of Figure 5. required exponentiations. In the experiment section we implement both variants and show that the privately verifiable version is 25% 12 Parameters: Let f : {0, 1}κ × {0, 1}∗ → {0, 1}∗ be a pseudo-random function. DPRF Instantiation Resulting TSE Assumption Model κ κ Γ − Setup(1 , n, t ) → ( SK [n], pp) : Pick k1, ..., kd ←$ {0, 1} where Πf-DP (Fig. 7) AES OWF Standard   J K d := n . Let D ,..., D be the d distinct (n−t +1)-sized subsets ΠDDH-DP (Fig. 3) ΓDDH DDH Standard n−t +1 1 d S of [n]. For i ∈ [n], let SKi := {kj | i ∈ Dj for j ∈ [d]}. Set pp := (f ) ΠZK-DDH-DP (Fig. 5) ΓDDH (Strong) DDH ROM ∈ PV and give (SKi, pp) to party i, for i [n]. ΠZK-DDH-DP (Fig. 6) ΓDDH (Strong) DDH ROM − → ∈ Eval(SKi, x, pp) zi : Compute hi,k := fk (x ) for all k SKi and Figure 8: The four TSE schemes we implemented by instantiating output {hi,k }k ∈SK . i DiSE. There are two concrete instantiations of ΠZK-DDH-DP, depend- − { } ⊥ | | ⊥ Combine( (i, zi ) i∈S, pp) =: z/ : If S < t, output . Else, parse zi ing on the verifiability feature (see Remark 8.3). { } ∈ { ′ } as hi,k k ∈SKi for i S. Let SKi i∈S be mutually disjoint sets such ′ ′ that ∪i∈S SKi = {k1,..., kd } and SKi ⊆ SKi for every i. Output ⊕ ∈ ′ ∈ hi,k . k SKi ,i S constructed from AES-NI. The DDH-based DPRF [59] uses the Mir- acl library [1] with Curve p256k1. Benchmarks were performed Figure 7: A secure DPRF protocol Πf-DP based on any PRF. on a single server equipped with two 18-core Intel Xeon CPUs at faster than the publicly verifiable version. A concrete construction is 2.3Ghz and 256GB of RAM. Parties communicate through a kernel provided in Figure 6. loopback device simulating two settings: LAN - 10 Gbps and 0.1ms (RTT) latency, WAN: shared 40 Mbps and 80ms latency. 8.2 PRF-based construction Throughput. Figure 9 shows the throughput and latency of our NPR also presented a DPRF construction based on any PRF, e.g. 9 protocols under a variety of configurations in the LAN setting. AES. To obtain an t-out-of-n threshold, this protocol incurs an Throughput measures the maximum number of operations that can min(t,n−t ) exponential overhead of O(n ). However, for n < 20 or be performed given that each party has a single core. Throughput is t ≈ n it can significantly outperform the previously described DDH an important metric for many tasks such as a key/token server or based construction (see Section 9).   per row database decryption. In the setup phase of the protocol, d := n random numbers n−t+1 The ΓAES protocol is the fastest by a large margin for all n ≤ 24 k1,...,kd are chosen. We assume that d is polynomial in the security despite having exponential overhead in the number of parties. For parameter so that all the DPRF algorithms are polynomial time. Let instance, encrypting 32 bytes with n = 6 and t = 4, ΓAES achieves 1 − D1,..., Dd be the d distinct (n t +1)-sized subsets of [n]. Then, the million encryption per second while ΓDDH, the next fastest, is 2000× i-th random number is given to all parties in the set Di . The DPRF slower with 556 encryptions. Increasing the parameters to n = Ld is defined as Fk (x) = i=1 fki (x), where f can be any PRF. Since 24, t = 16, ΓAES achieves 902 encryptions per second while ΓDDH all the d keys are needed to compute F , no set S of parties of size × S k is still 5 slower with 173 encryptions. The protocol ΓDDH which less than t can compute Fk by itself (at least one of the D1,..., Dd achieves strong correctness incurs a 2 to 5× overhead compared to subsets, say D , does not intersect with S; thus parties in S do not PV j the weaker ΓDDH while the publicly verifiable variant ΓDDH has, on have kj ). See Figure 7 for a formal description. average, 25% lower throughput.

Theorem 8.4. If f is a PRF, then Πf-DP in Figure 7 is a secure Latency. Another important metric is latency. That is, the time DPRF. from the start of an encryption/decryption until the result is ready. We defer the formal proof to the full version [17]. We also note Due to various system level optimization for improved latency, the that it is possible to augment this PRF-based construction into one throughput and latency results shown in Figure 9 are for differ- that satisfies strong correctness (hence strong security) using only ent configurations of the protocol, e.g. less vectorization which symmetric-key primitives. In particular, one could commit to the improves latency at the cost of a smaller throughput. ΓAES achieves PRF secrets during the setup, and require that each party provides sub-millisecond latency for most configurations. On the other hand, PV a symmetric-key NIZK of correctness of its evaluation with respect ΓDDH with its strong security guarantees achieves a latency be- to its committed secret keys using recent techniques [30, 50]. We do tween 10 and 100ms. not present such an instantiation since it would be quite inefficient. Communication. In addition to achieving the best throughput 9 EXPERIMENTAL EVALUATION and latency, the ΓAES protocol has the smallest communication overhead of 32(t −1) bytes per encryption. The ΓDDH incurs slightly When we combine the constructions of Section 7 and the DPRF in- more communication with 49(t − 1) bytes per encryption while stantiations of Section 8, we obtain four variants (two with strong S PV − ΓDDH and ΓDDH have the most communication with 148(t 1) bytes. security) of a threshold authenticated encryption scheme as de- However, despite having comparable communication overheads, picted in Figure 8. We remark that although our implementation the pure symmetric-key ΓAES protocol is significantly faster for uses a hash function modeled as a random oracle to implement the small n due to the use of much more efficient AES operations (in commitment scheme used in DiSE the construction itself is proven contrast to exponentiations). secure using any commitment scheme in the standard model. We implement all four variants of our protocol in C++. We im- . The primary advantage of the DDH-based protocols plement the random oracle as Blake2 [9] and the PRF/PRGs are S PV ΓDDH, ΓDDH and ΓDDH is that the key size is either constant (33 9 bytes) or linear in the threshold (33t bytes). The ΓAES protocol, Micali and Sydney provided a similar construction but for more general access struc- n tures [57]. on the other hand, requires that each party hold roughly t ≈ 13 Throughput Latency Bandwidth enc/s ms/enc Mbps t n ( ) ( ) (Throughput ) Γ Γ ΓS ΓPV Γ Γ ΓS ΓPV Γ Γ ΓS ΓPV AES DDH DDH DDH AES DDH DDH DDH AES DDH DDH DDH 6 1,095,770 556 232 189 0.1 4.6 9.3 10.5 268 0.28 0.29 0.28 12 656,728 382 99 77 0.3 4.4 15.9 18.8 481 0.53 0.37 0.35 n/3 18 45,434 297 64 46 0.6 5.4 21.5 27.6 55 0.77 0.40 0.35 24 902 173 34 31 7.5 11.2 36.4 43.1 2 0.69 0.30 0.34 4 1,113,090 555 235 190 0.1 4.7 9.2 10.1 272 0.13 0.30 0.29 6 510,152 527 146 112 0.2 4.0 11.9 14.3 249 0.26 0.44 0.34 n/2 12 198,020 300 64 48 0.7 5.2 21.2 26.1 242 0.37 0.47 0.36 18 10,194 231 42 31 1.1 8.0 31.3 38.8 20 0.45 0.50 0.37 24 165 125 22 22 38.0 15.9 54.5 69.6 0 0.33 0.38 0.36 3 1,100,413 561 239 190 0.1 3.9 10.7 18.6 269 0.14 0.30 0.29 6 1,033,592 399 101 75 0.4 4.2 15.0 18.6 757 0.29 0.38 0.34 2n/3 12 438,957 245 47 35 1.1 6.4 27.6 34.5 750 0.42 0.49 0.36 18 21,139 176 31 21 1.6 8.9 41.6 51.5 57 0.47 0.43 0.35 24 445 100 17 16 16.5 21.5 72.4 85.0 2 0.37 0.32 0.36 12 727,273 203 37 34 1.4 7.37 33.1 44.7 1598 0.45 0.42 0.36 n − 2 18 524,109 135 23 17 2.2 12.6 55.2 66.2 1919 0.49 0.43 0.38 24 283,822 75 12 10 5.6 28.0 98.9 116.4 1455 0.38 0.32 0.31 12 1,058,574 556 235 189 0.1 4.6 9.56 10.0 258 0.14 0.30 0.29 2 18 1,037,703 553 226 188 0.1 4.6 9.6 10.3 253 0.14 0.28 0.28 24 735,294 404 176 151 2.2 4.6 9.56 10.4 180 0.10 0.22 0.23 Figure 9: Encryption performance metrics for 10 second trials of 32 bytes messages in the LAN setting with various number of parties n and threshold t. Throughput is computed by performing many encryptions concurrently (single thread per party). Latency is computed by performing sequential encryptions. Bandwidth is total (send + receive) bandwidth consumed at peak throughput. Throughput Latency Bandwidth enc/s ms/enc Mbps t n ( ) ( ) (Throughput ) Γ Γ ΓS ΓPV Γ Γ ΓS ΓPV Γ Γ ΓS ΓPV AES DDH DDH DDH AES DDH DDH DDH AES DDH DDH DDH 6 153,332 570 238 190 81 86 96 101 37 0.14 0.30 0.29 n 12 51,745 399 103 76 81 88 111 117 38 0.29 0.39 0.34 3 18 31,096 303 65 46 81 90 125 139 38 0.37 0.41 0.35 24 775 191 36 26 86 90 132 146 1 0.33 0.31 0.27 4 150,783 571 239 188 81 86 96 104 37 0.14 0.30 0.28 6 76,957 536 150 112 81 86 103 111 38 0.26 0.38 0.34 n 2 12 30,937 297 65 48 82 90 125 131 38 0.36 0.41 0.36 18 11,776 235 42 31 82 92 141 145 23 0.46 0.43 0.37 24 166 132 24 18 102 96 146 149 0 0.36 0.33 0.30 3 150,965 555 238 189 81 86 97 105 37 0.14 0.30 0.28 6 51,535 396 103 77 81 88 112 122 38 0.29 0.39 0.34 2n 3 12 21,484 244 45 35 81 93 123 152 37 0.42 0.40 0.37 18 14,029 174 31 22 82 97 156 169 38 0.47 0.43 0.37 24 446 101 17 13 92 98 164 172 2 0.37 0.33 0.28 Figure 10: Encryption performance metrics for 10 second trials of 32 bytes messages in the WAN setting (shared send+receive 40Mbps, 80ms RTT) with various number of parties n and threshold t.

O(nmin(t,n−t ) ) keys. As such, the single benchmark machine shar- REFERENCES ing 256GB of RAM was not able to handle significantly more than [1] BLAKE2 - fast secure hashing. https://blake2.net/. 24 parties. For instance, with n = 6, t = 4 each party must hold 80 [2] Dyadic Security. https://www.dyadicsec.com. [3] ePrint Archive MPC Papers. http://users-cs.au.dk/psn/list/. bytes of key while the case of n = 24, t = 16 requires each party to [4] Infrastructure Secret Management Software Overview. https://gist.github.com/ hold a 8MB key. In the worst case of t = n/2 with n = 24, the key maxvt/bb49a6c7243163b8120625fc8ae3f3cd. [5] Kerberos: Encryption Types. http://web.mit.edu/kerberos/krb5-latest/doc/admin/ size increases to 22MB per party. However, despite this exponential enctypes.html. blowup, the ΓAES can gracefully handle cases where n is small or the [6] Kerberos: The Network Authentication Protocol. http://web.mit.edu/kerberos/. threshold t is near 2 or n as shown in the bottom half of Figure 9. [7] List of MPC Software. http://www.multipartycomputation.com/mpc-software. [8] List of resources on MPC. https://github.com/rdragos/awesome-mpc. [9] MIRACL Cryptographic SDK. https://www.miracl.com/. [10] Porticor Cloud Security. http://www.porticor.com/. Acquired by Intuit. [11] Sepior. https://sepior.com. WAN Performance. To measure the performance of the protocols [12] Vault Architecture. https://www.vaultproject.io/docs/internals/architecture.html. over the Internet, we benchmark on a (simulated) network with a [13] Vault by HashiCorp. https://www.vaultproject.io/. shared bandwidth of 40 Mbps and an 80ms round-trip time. [14] Vault Docs, Basic Concepts, Seal-Unseal. https://www.vaultproject.io/docs/ concepts/.html. As shown in Figure 10, the bandwidth restriction limits the [15] M. Abdalla, S. Miner, and C. Namprempre. Forward-secure threshold signature throughput of the ΓAES protocol due to it easily saturating the net- schemes. In Cryptographers Track at the RSA Conference, pages 441–456. Springer, work. With n = 6, t = 2, we observe that the throughput drops 7× to 2001. [16] S. Agrawal, P. Mohassel, P. Mukherjee, and P. Rindal. Dise: Distributed symmetric- 153,332 encryption per second. However, this is near optimal given key encryption. In Proceedings of the 2018 ACM SIGSAC Conference on Computer that simply communicating κ bits requires 37 out of the 40Mbps and Communications Security, CCS 2018, Toronto, ON, Canada, October 15-19, 2018, pages 1993–2010, 2018. bandwidth limit. Additionally, the latency of the ΓAES is near the [17] S. Agrawal, P. Mohassel, P. Mukherjee, and P. Rindal. Dise: Distributed symmetric- optimal of 80ms in most cases. The ΓDDH protocol require slightly key encryption. Cryptology ePrint Archive, Report 2018/727, 2018. https://eprint. more time of roughly 90ms in most cases while the strongly-correct iacr.org/2018/727. PV S [18] M. Bellare, O. Goldreich, and A. Mityagin. The power of verification queries ΓDDH and ΓDDH protocols require between 95 and 170ms. in and authenticated encryption. Cryptology ePrint

14 Archive, Report 2004/309, 2004. http://eprint.iacr.org/2004/309. [45] S. Garg, P. Mukherjee, O. Pandey, and A. Polychroniadou. The exact round [19] M. Bellare and S. Keelveedhi. Authenticated and misuse-resistant encryption of complexity of secure computation. In M. Fischlin and J.-S. Coron, editors, EURO- key-dependent data. In P. Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS, 2016, Part II, volume 9666 of LNCS, pages 448–476. Springer, Heidelberg, pages 610–629. Springer, Heidelberg, Aug. 2011. May 2016. [20] M. Bellare and C. Namprempre. Authenticated encryption: Relations among [46] S. Garg and A. Srinivasan. Garbled protocols and two-round MPC from bilinear notions and analysis of the generic composition paradigm. In T. Okamoto, editor, maps. In 58th FOCS, pages 588–599. IEEE Computer Society Press, 2017. ASIACRYPT 2000, volume 1976 of LNCS, pages 531–545. Springer, Heidelberg, [47] S. Garg and A. Srinivasan. Two-round multiparty secure computation from Dec. 2000. minimal assumptions. In J. B. Nielsen and V. Rijmen, editors, EUROCRYPT 2018, [21] M. Bellare and B. Tackmann. The multi-user security of authenticated encryption: Part II, volume 10821 of LNCS, pages 468–499. Springer, Heidelberg, Apr. / May AES-GCM in TLS 1.3. In M. Robshaw and J. Katz, editors, CRYPTO 2016, Part I, 2018. volume 9814 of LNCS, pages 247–276. Springer, Heidelberg, Aug. 2016. [48] R. Gennaro, S. Halevi, H. Krawczyk, and T. Rabin. Threshold RSA for dynamic [22] R. Bendlin and I. Damgård. Threshold decryption and zero-knowledge proofs and ad-hoc groups. In N. P. Smart, editor, EUROCRYPT 2008, volume 4965 of for lattice-based . In D. Micciancio, editor, TCC 2010, volume 5978 LNCS, pages 88–107. Springer, Heidelberg, Apr. 2008. of LNCS, pages 201–218. Springer, Heidelberg, Feb. 2010. [49] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust threshold DSS sig- [23] F. Benhamouda and H. Lin. k-round multiparty computation from k-round natures. In U. M. Maurer, editor, EUROCRYPT’96, volume 1070 of LNCS, pages oblivious transfer via garbled interactive circuits. In J. B. Nielsen and V. Rijmen, 354–371. Springer, Heidelberg, May 1996. editors, EUROCRYPT 2018, Part II, volume 10821 of LNCS, pages 500–532. Springer, [50] I. Giacomelli, J. Madsen, and C. Orlandi. Zkboo: Faster zero-knowledge for Heidelberg, Apr. / May 2018. boolean circuits. In USENIX Security Symposium, pages 1069–1083, 2016. [24] A. Boldyreva. Threshold signatures, multisignatures and blind signatures based [51] L. Grassi, C. Rechberger, D. Rotaru, P. Scholl, and N. P. Smart. MPC-friendly on the gap-Diffie-Hellman-group signature scheme. In Y. Desmedt, editor, symmetric key primitives. In E. R. Weippl, S. Katzenbeisser, C. Kruegel, A. C. PKC 2003, volume 2567 of LNCS, pages 31–46. Springer, Heidelberg, Jan. 2003. Myers, and S. Halevi, editors, ACM CCS 16, pages 430–443. ACM Press, Oct. 2016. [25] D. Boneh, X. Boyen, and S. Halevi. Chosen ciphertext secure public key threshold [52] S. Gueron and Y. Lindell. GCM-SIV: Full nonce misuse-resistant authenticated encryption without random oracles. In D. Pointcheval, editor, CT-RSA 2006, encryption at under one cycle per byte. In I. Ray, N. Li, and C. Kruegel:, editors, volume 3860 of LNCS, pages 226–243. Springer, Heidelberg, Feb. 2006. ACM CCS 15, pages 109–119. ACM Press, Oct. 2015. [26] D. Boneh, K. Lewi, H. W. Montgomery, and A. Raghunathan. Key homomorphic [53] V. T. Hoang, T. Krovetz, and P. Rogaway. Robust authenticated-encryption PRFs and their applications. In R. Canetti and J. A. Garay, editors, CRYPTO 2013, AEZ and the problem that it solves. In E. Oswald and M. Fischlin, editors, Part I, volume 8042 of LNCS, pages 410–428. Springer, Heidelberg, Aug. 2013. EUROCRYPT 2015, Part I, volume 9056 of LNCS, pages 15–44. Springer, Heidelberg, [27] P. Bose, V. T. Hoang, and S. Tessaro. Revisiting AES-GCM-SIV: Multi-user Apr. 2015. security, faster key derivation, and better bounds. In J. B. Nielsen and V. Rijmen, [54] V. T. Hoang, R. Reyhanitabar, P. Rogaway, and D. Vizár. Online authenticated- editors, EUROCRYPT 2018, Part I, volume 10820 of LNCS, pages 468–499. Springer, encryption and its nonce-reuse misuse-resistance. In R. Gennaro and M. J. B. Heidelberg, Apr. / May 2018. Robshaw, editors, CRYPTO 2015, Part I, volume 9215 of LNCS, pages 493–517. [28] R. Canetti. Universally composable security: A new paradigm for cryptographic Springer, Heidelberg, Aug. 2015. protocols. In 42nd FOCS, pages 136–145. IEEE Computer Society Press, Oct. 2001. [55] J. Katz and M. Yung. Unforgeable encryption and chosen ciphertext secure modes [29] R. Canetti and S. Goldwasser. An efficient threshold public key se- of operation. In B. Schneier, editor, FSE 2000, volume 1978 of LNCS, pages 284–299. cure against adaptive chosen ciphertext attack. In J. Stern, editor, EUROCRYPT’99, Springer, Heidelberg, Apr. 2001. volume 1592 of LNCS, pages 90–106. Springer, Heidelberg, May 1999. [56] R. Kusters and M. Tuengerthal. Universally composable symmetric encryption. [30] M. Chase, D. Derler, S. Goldfeder, C. Orlandi, S. Ramacher, C. Rechberger, D. Sla- In 2009 22nd IEEE Computer Security Foundations Symposium, pages 293–307, July manig, and G. Zaverucha. Post-quantum zero-knowledge and signatures from 2009. symmetric-key primitives. In Proceedings of the 2017 ACM SIGSAC Conference on [57] S. Micali and R. Sidney. A simple method for generating and sharing pseudo- Computer and Communications Security, pages 1825–1842, 2017. random functions, with applications to clipper-like escrow systems. In D. Cop- [31] D. Chaum and H. Van Antwerpen. Undeniable signatures. In G. Brassard, editor, persmith, editor, CRYPTO’95, volume 963 of LNCS, pages 185–196. Springer, CRYPTO’89, volume 435 of LNCS, pages 212–216. Springer, Heidelberg, Aug. 1990. Heidelberg, Aug. 1995. [32] I. Damgård and M. Keller. Secure multiparty AES. In R. Sion, editor, FC 2010, [58] P. Mukherjee and D. Wichs. Two round multiparty computation via multi-key volume 6052 of LNCS, pages 367–374. Springer, Heidelberg, Jan. 2010. FHE. In M. Fischlin and J.-S. Coron, editors, EUROCRYPT 2016, Part II, volume [33] I. Damgård and M. Koprowski. Practical threshold RSA signatures without a 9666 of LNCS, pages 735–763. Springer, Heidelberg, May 2016. trusted dealer. In B. Pfitzmann, editor, EUROCRYPT 2001, volume 2045 of LNCS, [59] M. Naor, B. Pinkas, and O. Reingold. Distributed pseudo-random functions and pages 152–165. Springer, Heidelberg, May 2001. KDCs. In J. Stern, editor, EUROCRYPT’99, volume 1592 of LNCS, pages 327–346. [34] A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to share a function Springer, Heidelberg, May 1999. securely. In 26th ACM STOC, pages 522–533. ACM Press, May 1994. [60] J. B. Nielsen. A threshold pseudorandom function construction and its applica- [35] C. Delerablée and D. Pointcheval. Dynamic threshold public-key encryption. In tions. In M. Yung, editor, CRYPTO 2002, volume 2442 of LNCS, pages 401–416. D. Wagner, editor, CRYPTO 2008, volume 5157 of LNCS, pages 317–334. Springer, Springer, Heidelberg, Aug. 2002. Heidelberg, Aug. 2008. [61] K. G. Paterson and G. J. Watson. Authenticated-encryption with : A [36] Y. Desmedt and Y. Frankel. Threshold cryptosystems. In G. Brassard, editor, formal security treatment. In Cryptography and Security: From Theory to Applica- CRYPTO’89, volume 435 of LNCS, pages 307–315. Springer, Heidelberg, Aug. 1990. tions - Essays Dedicated to Jean-Jacques Quisquater on the Occasion of His 65th [37] Y. Dodis. Efficient construction of (distributed) verifiable random functions. Birthday, pages 83–107, 2012. In Y. Desmedt, editor, PKC 2003, volume 2567 of LNCS, pages 1–17. Springer, [62] P. Rogaway. Authenticated-encryption with associated-data. In V. Atluri, editor, Heidelberg, Jan. 2003. ACM CCS 02, pages 98–107. ACM Press, Nov. 2002. [38] Y. Dodis and A. Yampolskiy. A verifiable random function with short proofs and [63] P. Rogaway. The Evolution of Authenticated Encryption. https://crypto.stanford. keys. In S. Vaudenay, editor, PKC 2005, volume 3386 of LNCS, pages 416–431. edu/RealWorldCrypto/slides/phil.pdf, 2013. Springer, Heidelberg, Jan. 2005. [64] P. Rogaway and T. Shrimpton. A provable-security treatment of the key-wrap [39] Y. Dodis, A. Yampolskiy, and M. Yung. Threshold and proactive pseudo-random problem. In S. Vaudenay, editor, EUROCRYPT 2006, volume 4004 of LNCS, pages permutations. In S. Halevi and T. Rabin, editors, TCC 2006, volume 3876 of LNCS, 373–390. Springer, Heidelberg, May / June 2006. pages 542–560. Springer, Heidelberg, Mar. 2006. [65] D. Rotaru, N. P. Smart, and M. Stam. Modes of operation suitable for computing [40] A. Everspaugh, R. Chaterjee, S. Scott, A. Juels, and T. Ristenpart. The pythia PRF on encrypted data. Cryptology ePrint Archive, Report 2017/496, 2017. http: service. In 24th USENIX Security Symposium (USENIX Security 15), pages 547–562, //eprint.iacr.org/2017/496. 2015. [66] C.-P. Schnorr. Efficient identification and signatures for smart cards. In G.Bras- [41] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification sard, editor, CRYPTO’89, volume 435 of LNCS, pages 239–252. Springer, Heidelberg, and signature problems. In A. M. Odlyzko, editor, CRYPTO’86, volume 263 of Aug. 1990. LNCS, pages 186–194. Springer, Heidelberg, Aug. 1987. [67] A. Shamir. How to share a secret. Communications of the Association for Comput- [42] E. Fleischmann, C. Forler, and S. Lucks. McOE: A family of almost foolproof on- ing Machinery, 22(11):612–613, Nov. 1979. line authenticated encryption schemes. In A. Canteaut, editor, FSE 2012, volume [68] V. Shoup and R. Gennaro. Securing threshold cryptosystems against chosen 7549 of LNCS, pages 196–215. Springer, Heidelberg, Mar. 2012. ciphertext attack. In K. Nyberg, editor, EUROCRYPT’98, volume 1403 of LNCS, [43] Y. Frankel. A practical protocol for large group oriented networks. In J.-J. pages 1–16. Springer, Heidelberg, May / June 1998. Quisquater and J. Vandewalle, editors, EUROCRYPT’89, volume 434 of LNCS, [69] V. Shoup and R. Gennaro. Securing threshold cryptosystems against chosen pages 56–61. Springer, Heidelberg, Apr. 1990. ciphertext attack. Journal of Cryptology, 15(2):75–96, Mar. 2002. [44] S. Garg, C. Gentry, S. Halevi, and M. Raykova. Two-round secure MPC from indistinguishability obfuscation. In Y. Lindell, editor, TCC 2014, volume 8349 of LNCS, pages 74–94. Springer, Heidelberg, Feb. 2014. 15